Closed
Bug 921553
Opened 12 years ago
Closed 12 years ago
Fix some rooting hazards that crept into bindings code
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla27
People
(Reporter: bzbarsky, Assigned: bzbarsky)
Details
Attachments
(1 file)
|
3.07 KB,
patch
|
peterv
:
review+
|
Details | Diff | Splinter Review |
Two things.
1) UnionTypes.cpp ends up with code like this:
nsresult rv =
UnwrapObject<prototypes::id::HTMLVideoElement,
mozilla::dom::HTMLVideoElement>(
cx, &value.toObject(), SetAsHTMLVideoElement());
The second arg is a hazard if the third arg gcs. We should just store that third arg in a stack temporary before we do this code, so we end up with something more like this:
OwningNonNull<mozilla::dom::HTMLVideoElement>& memberSlot =
SetAsHTMLVideoElement();
{
nsresult rv =
UnwrapObject<prototypes::id::HTMLVideoElement,
mozilla::dom::HTMLVideoElement>(
cx, &value.toObject(), memberSlot);
2) ConvertJSValueToByteString has an unrooted JSString on the stack that I think is in fact safe, but it's easy enough to shut up the analysis here by rooting it... and safer in the long run.
|
Assignee | |
Comment 1•12 years ago
|
||
Attachment #811245 -
Flags: review?(peterv)
|
|
Assignee | |
Updated•12 years ago
|
Whiteboard: [need review]
|
||
Updated•12 years ago
|
Attachment #811245 -
Flags: review?(peterv) → review+
|
|
Assignee | |
Comment 2•12 years ago
|
||
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla27
|
||
Comment 3•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•7 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•